CROSSWALK

FDA Cybersecurity §V.C

WHAT CARRIES OVER

IEC 81001-5-1 §5.7 software system testing and ISO 13485 §7.3.5 design review — penetration testing is a specialized security verification layer on top of existing V&V activities.

WHAT’S NEW

FDA V.C requires scope from threat model, documented methodology (OWASP/PTES/NIST), CVSS-rated findings with proof-of-concept, and retest evidence for critical/high findings.

AUDIT FOCUS

Scope traceability to threat model attack surfaces, tester independence documentation, and retest records for critical/high findings — generic web-app tests not tied to the device's threat model are routinely flagged.

Maps to

FDA Cybersecurity: §V.C Cybersecurity Testing

ISO 13485: §7.3.5 Design and development review

Pre-QMSR Part 820 (legacy QSR): §820.30(e) Design review

IEC 81001-5-1: §5.7 Software system testing

Requirement text

FDA's Premarket Cybersecurity Guidance recommends that the manufacturer provide evidence of penetration testing as part of premarket cybersecurity documentation. The penetration test should cover the scope defined by the threat model, use appropriate tools and methodologies, and document all findings with severity ratings. Critical and high findings should be remediated before submission, or compensating controls and risk justification provided.

Why this clause exists

Vulnerability scanning identifies known CVEs against listed components, but it cannot determine whether those vulnerabilities are exploitable in the specific product configuration or whether novel attack paths exist that no CVE database yet captures. Penetration testing occupies a structurally different role: a skilled adversary simulates realistic attack chains against the actual running system, following paths that static analysis cannot surface, and produces findings whose validity is demonstrated by working proof-of-concept rather than theoretical exposure. The pattern FDA guidance V.C targeted was a common one — manufacturers submitting vulnerability scan reports as their security testing evidence, with no demonstration that the device could withstand an active attempt at exploitation. Generic web application test reports with no connection to the device's threat model were similarly common: a test that did not cover the wireless interface, proprietary protocol, or clinical network integration left the most device-specific attack surfaces completely unexamined. The FDA expectation for tester qualifications and independence reflects the observation that internal developer pen tests systematically underperform on the device's own interfaces, where familiarity with the implementation creates blind spots that an external tester without the source code does not share.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date missing required cybersecurity documentation receive Refuse to Accept (RTA) letters.

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Common gaps (what we see in audits)

  • Penetration testing not scoped to threat model or independently performed: Pen test reports show generic web application testing not scoped to the device's threat model. FDA expects tests on the final production-equivalent version covering network, application, and firmware layers. Critical findings are listed as 'accepted risk' without adequate justification. Testers are internal developers lacking independence.
